Amendments to the Claims 

Claim 1 (currently amended): A method of improving intrusion detection in a computing network, comprising steps of:
defining a plurality of intrusion suspicion levels for use when performing intrusion detection processing on inbound communications destined for a computing device on the computing network;
for each of a plurality of potential intrusion events, defining a set of at least one conditions which describe the potential intrusion event;
associating one of the defined intrusion suspicion levels with each of the sets of conditions;
defining a plurality of sensitivity levels for filtering intrusion events when performing the intrusion detection processing; and
performing intrusion detection for a particular inbound communication received for the computing device, further comprising steps of:
determining whether any of the at least one sets of conditions are matched; and
if so, using a currently-applicable one of the defined sensitivity levels, in concert with the defined intrusion suspicion [[levels]] level associated with the matched conditions, to determine if [[a]] the particular inbound communication destined for the computing device should be treated as an intrusion event.

Claim 2 (canceled) 
Claim 3 (currently amended): The method according to Claim [[2]] 1, wherein the determining step further comprises comparing current conditions in the computing device to [[predetermined conditions which signal a potential intrusion]] the conditions defined in at least one of the sets.



Claim 4 (currently amended): The method according to Claim 3, wherein the current conditions in the computing device comprise contents of the particular inbound communication.

Claim 5 (currently amended): The method according to Claim 4, wherein the current conditions in the computing device further comprise a protocol state of a protocol stack which processes the particular inbound communication.

Claim 6 (currently amended): The method according to Claim 1, further comprising the step of taking one or more defensive actions [[when the using step determines]] upon determining that the particular inbound communication should be treated as an intrusion event.

Claim 7 (original): The method according to Claim 6, wherein the defensive actions are determined by consulting intrusion detection policy information.

Claim 8 (currently amended): The method according to Claim [[6]] 7, wherein the intrusion detection policy information is stored in a network-accessible repository.

Claim 9 (currently amended): The method according to Claim 1, wherein the [[using step further comprises comparing the particular inbound communication to]] defined at least one set of conditions represents one or more attack signatures.
Serial No. 10/058,689 -7- RSW920020011US1

Claim 10 (original): The method according to Claim 9, wherein at least one of the attack signatures is a class signature representing a class of attacks.

Claim 11 (currently amended): The method according to Claim [[9]] 1, wherein each of the at least one set of conditions is [[attack signatures are]] specified [[as conditions]] as a condition part in an intrusion detection [[rules]] rule, and wherein each of the intrusion detection rules further specifies at least one action [[comprises one or more actions that are]] to be taken upon determining [[when the using step determines]] that the particular inbound communication should be treated as an intrusion event.

Claim 12 (currently amended): The method according to Claim 1, wherein the performing [[using]] step operates in the computing device for which the particular inbound communication is destined.

Claim 13 (currently amended): The method according to Claim 12, wherein the performing [[using]] step operates within layer-specific intrusion detection logic executing in a protocol stack running on the computing device.

Claim 14 (currently amended): The method according to Claim 1, wherein the performing [[using]] step operates in a network device which analyzes communications directed to the computing device for which the particular inbound communication is destined.

Claim 15 (currently amended): The method according to Claim 1, [[further comprising steps of: for each of a plurality of potential intrusion events, defining a set of one or more conditions which describe the potential intrusion event; associating a sensitivity level with each of the sets of conditions; and determining a suspicion level of the particular inbound communication;]] wherein the using step further comprises consulting a stored mapping between each of the defined sensitivity levels and each of the defined intrusion suspicion levels, using the currently-applicable one of the defined sensitivity levels and the intrusion suspicion level associated with the matched conditions, to determine if [[determines that]] the particular inbound communication should be treated as an intrusion event [[when conditions pertaining to the particular inbound communication match a selected one of the sets of conditions and the determined suspicion level maps to the sensitivity level associated with the selected set of conditions]].

Claims 16 - 21 (withdrawn) 

Claim 22 (currently amended): A system for improving intrusion detection in a computing network, comprising:
[[means for defining]] a plurality of intrusion suspicion levels defined for use when performing intrusion detection processing on inbound communications destined for a computing device on the computing network;
for each of a plurality of potential intrusion events, a defined set of at least one conditions which describe the potential intrusion event;
means for associating one of the defined intrusion suspicion levels with each of the defined sets of conditions;
a plurality of sensitivity levels defined for filtering intrusion events when performing the intrusion detection processing; and
means for performing intrusion detection for a particular inbound communication received for the computing device, further comprising:
means for determining whether any of the at least one defined sets of conditions are matched; and
if so, means for using a currently-applicable one of the defined sensitivity levels, in concert with the defined intrusion suspicion [[levels]] level associated with the matched conditions, to determine if [[a]] the particular inbound communication destined for the computing device should be treated as an intrusion event.

Claim 23 (canceled) 

Claim 24 (currently amended): The system according to Claim [[23]] 22, wherein the means for determining further comprises means for comparing current conditions in the computing device to [[predetermined conditions which signal a potential intrusion]] the conditions defined in at least one of the sets.
Claim 25 (currently amended): The system according to Claim 22, further comprising means for taking one or more defensive actions [[when the means for using determines]] upon determining that the particular inbound communication should be treated as an intrusion event, wherein the defensive actions are determined by consulting intrusion detection policy information.

Claim 26 (currently amended): The system according to Claim 22, wherein each of the [[means for using further comprises means for comparing the particular inbound communication to]] at least one set of conditions [[one or more attack signatures, wherein the attack signatures are]] is specified [[as conditions]] as a condition part in an intrusion detection [[rules]] rule, and wherein each of the intrusion detection rules [[further comprises]] specifies at least one action [[one or more actions that are]] to be taken upon determining [[when the means for using determines]] that the particular inbound communication should be treated as an intrusion event.

Claim 27 (currently amended): The system according to Claim 22, [[further comprising: for each of a plurality of potential intrusion events, means for defining a set of one or more conditions which describe the potential intrusion event; means for associating a sensitivity level with each of the sets of conditions; and means for determining a suspicion level of the particular inbound communication;]] wherein the means for using further comprises means for consulting a stored mapping between each of the defined sensitivity levels and each of the defined intrusion suspicion levels, using the currently-applicable one of the defined sensitivity levels and the intrusion suspicion level associated with the matched conditions, to determine if [[determines that]] the particular inbound communication should be treated as an intrusion event [[when conditions pertaining to the particular inbound communication match a selected one of the sets of conditions and the determined suspicion level maps to the sensitivity level associated with the selected set of conditions]].

Claims 28 - 31 (withdrawn)

Claim 32 (currently amended): A computer program product for improving intrusion detection in a computing network, the computer program product embodied on one or more computer-readable media and comprising:
computer-readable program code [[means]] for defining a plurality of intrusion suspicion levels for use when performing intrusion detection processing on inbound communications destined for a computing device on the computing network;
for each of a plurality of potential intrusion events, computer-readable program code defining a set of at least one conditions which describe the potential intrusion event;
computer-readable program code associating one of the defined intrusion suspicion levels with each of the sets of conditions;
computer-readable program code defining a plurality of sensitivity levels for filtering intrusion events when performing the intrusion detection processing; and
computer-readable program code for performing intrusion detection for a particular inbound communication received for the computing device, further comprising:
computer-readable program code for determining whether any of the at least one sets of conditions are matched; and
if so, computer-readable program code [[means]] for using a currently-applicable one of the defined sensitivity levels, in concert with the defined intrusion suspicion [[levels]] level associated with the matched conditions, to determine if [[a]] the particular inbound communication destined for the computing device should be treated as an intrusion event.



Claim 33 (canceled) 



Claim 34 (currently amended): The computer program product according to Claim [[33]] 32, wherein the computer-readable program code [[means]] for determining further comprises computer-readable program code [[means]] for comparing current conditions in the computing device to [[predetermined conditions which signal a potential intrusion]] the conditions defined in at least one of the sets, the current conditions in the computing device comprising contents of the particular inbound communication.

Claim 35 (currently amended): The computer program product according to Claim [[33]] 32, wherein the computer-readable program code [[means]] for determining further comprises computer-readable program code [[means]] for comparing current conditions in the computing device to [[predetermined conditions which signal a potential intrusion]] the conditions defined in at least one of the sets, the current conditions in the computing device comprising contents of the particular inbound communication and a protocol state of a protocol stack which processes the particular inbound communication.

Claim 36 (currently amended): The computer program product according to Claim 32, further comprising computer-readable program code [[means]] for taking one or more defensive actions upon determining [[when the computer-readable program code means for using determines]] that the particular inbound communication should be treated as an intrusion event, wherein the defensive actions are determined by consulting intrusion detection policy information stored in a policy repository.

Claim 37 (currently amended): The computer program product according to Claim [[1]] 32, wherein the [[computer-readable program code means for using further comprises computer-readable program code means for comparing the particular inbound communication to]] defined at least one set of conditions represents one or more attack signatures, wherein at least one of the attack signatures is a class signature representing a class of attacks.

Claim 38 (currently amended): The computer program product according to Claim 32, wherein the computer-readable program code [[means]] for [[using]] performing operates in the computing device for which the particular inbound communication is destined.

Claim 39 (currently amended): The computer program product according to Claim 32, wherein the computer-readable program code [[means]] for [[using]] performing operates in a network device which analyzes communications directed to the computing device for which the particular inbound communication is destined.

Claim 40 (currently amended): The computer program product according to Claim 32, [[further comprising: computer-readable program code means for specifying, for each of a plurality of potential intrusion events, a set of one or more conditions which describe the potential intrusion event; computer-readable program code means for associating a sensitivity level with each of the sets of conditions; and computer-readable program code means for determining a suspicion level of the particular inbound communication;]] wherein the computer-readable program code [[means]] for using further comprises computer-readable code for consulting a stored mapping between each of the defined sensitivity levels and each of the defined intrusion suspicion levels, using the currently-applicable one of the defined sensitivity levels and the intrusion suspicion level associated with the matched conditions, to determine [[determines]] that the particular inbound communication should be treated as an intrusion event [[when conditions pertaining to the particular inbound communication match a selected one of the sets of conditions and the determined suspicion level maps to the sensitivity level associated with the selected set of conditions]].

Claims 41-44 (withdrawn) 

Claim 45 (new): The method according to Claim 6, wherein the defensive actions are specified as actions in a rule in which the matched conditions are specified.

Claim 46 (new): The method according to Claim 6, wherein at least one of the defensive actions comprises discarding the particular inbound communication.

Claim 47 (new): The method according to Claim 6, wherein at least one of the defensive actions comprises limiting at least one of resources or traffic associated with a connection on which the particular inbound communication is received.

Claim 48 (new): The method according to Claim 6, wherein at least one of the defensive actions comprises dynamically dropping a deny filter into the computing network to shun subsequent traffic.

Claim 49 (new): The method according to Claim 6, wherein at least one of the defensive actions comprises reporting the intrusion event to one or more entities.

Claim 50 (new): The method according to Claim 49, wherein reporting the intrusion event to one or more entities further comprises sending an alert to a management component external from the computing device for which the particular inbound communication is destined.

Claim 51 (new): The method according to Claim 49, wherein reporting the intrusion event to one or more entities further comprises writing at least one event record to at least one of a system log and a console.

Claim 52 (new): The method according to Claim 49, wherein reporting the intrusion event to one or more entities further comprises recording inbound communications associated with the intrusion event in at least one of a trace or other repository.

Claim 53 (new): The method according to Claim 49, wherein reporting the intrusion event to one or more entities further comprises writing statistics records on normal behavior to establish baselines as to what constitutes abnormal behavior for the inbound communications.

Claim 54 (new): The method according to Claim 1, wherein at least one of the defined sets of conditions specifies a current system state of the computing device.

Claim 55 (new): The method according to Claim 1, wherein at least one of the defined sets of conditions specifies at least one threshold reached at the computing device.

Claim 56 (new): The method according to Claim 1, wherein at least one of the defined sets of conditions specifies at least one state transition to be caused, at the computing device, upon receiving the particular inbound communication.

Claim 57 (new): The method according to Claim 1, wherein the currently-applicable sensitivity level is specified, for the computing device, by a systems administrator.




PAGE 15/27 * RCVD AT 4/4/2006 1:24:54 PM [Eastern Daylight Time] * SVR:USPTO-EFXRF-1/10 * DNIS:2738300 * CSID:4073437587 * DURATION (mm-ss):0W)4



04/04/2006 12:27 4073437587 FAX PAGE 20



Claim 58 (new): The method according to Claim 1, wherein the currently-applicable sensitivity level is specified, for the computing device, by configuration data in a stored repository.
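Added worked example (not part of the application, its claims or the applicant's own code): a small Python evaluator that exercises the mechanism the claims above describe, namely rules whose condition part is matched against the inbound communication and the protocol state of the receiving stack (Claims 3 to 5, 11, 54 to 56), an intrusion suspicion level associated with each set of conditions (Claim 1), a per-device sensitivity level chosen by an administrator or stored configuration (Claims 57 and 58), a stored mapping between sensitivity and suspicion levels that decides whether a match is treated as an intrusion event (Claim 15), and the defensive actions of Claims 46 to 49 carried as the rule's action part (Claim 45). The level names, the mapping, the three rules, the action names and the sample packets are all constructed assumptions for illustration.

```python
"""Added example: a rule evaluator shaped like the claimed method (suspicion
level per rule, a per-device sensitivity level, and a stored mapping between
the two).  Level names, the mapping, the rules and the sample traffic are
constructed for illustration and are not taken from the application."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Sequence, Tuple

# Intrusion suspicion levels that a rule may be associated with (Claim 1).
# Ordered from weakest to strongest; the names are assumptions.
SUSPICION = ("POSSIBLE", "LIKELY", "CERTAIN")

# Sensitivity levels an administrator or stored configuration selects for a
# device (Claims 57 and 58).  Names are assumptions.
SENSITIVITY = ("LOW", "MEDIUM", "HIGH")

# Stored mapping between sensitivity and suspicion levels (Claim 15): for each
# sensitivity, the lowest suspicion level that is treated as an intrusion
# event.  A HIGH-sensitivity device reacts even to POSSIBLE matches; a
# LOW-sensitivity device reacts only to CERTAIN ones.
MAPPING: Dict[str, str] = {"LOW": "CERTAIN", "MEDIUM": "LIKELY", "HIGH": "POSSIBLE"}


@dataclass
class Context:
    """Current conditions in the computing device (Claims 3 to 5, 54 to 56):
    the contents of the inbound communication, the protocol state of the stack
    processing it, and a counter that a threshold condition can test."""
    payload: bytes
    protocol_state: str           # e.g. "SYN_RECEIVED" or "ESTABLISHED"
    half_open_connections: int    # threshold-style condition (Claim 55)


@dataclass
class Rule:
    """An intrusion detection rule: a condition part and an action part
    (Claims 11 and 45), plus the suspicion level associated with the set."""
    name: str
    conditions: Sequence[Callable[[Context], bool]]
    suspicion: str
    actions: Sequence[str]


def rule_matches(rule: Rule, ctx: Context) -> bool:
    """The set of conditions is matched only when every condition holds."""
    return all(cond(ctx) for cond in rule.conditions)


def is_intrusion(sensitivity: str, suspicion: str) -> bool:
    """Consult the stored mapping: the match is an intrusion event when its
    suspicion level is at or above the threshold for this sensitivity."""
    return SUSPICION.index(suspicion) >= SUSPICION.index(MAPPING[sensitivity])


def detect(rules: Sequence[Rule], ctx: Context, sensitivity: str) -> Tuple[bool, List[str]]:
    """Perform intrusion detection for one inbound communication.

    Returns whether it should be treated as an intrusion event and the
    defensive actions collected from every rule that fired (each action
    listed once, in rule order)."""
    intrusion, actions = False, []
    for rule in rules:
        if rule_matches(rule, ctx) and is_intrusion(sensitivity, rule.suspicion):
            intrusion = True
            for action in rule.actions:
                if action not in actions:
                    actions.append(action)
    return intrusion, actions


# Constructed rule set.  Action names stand for the defensive actions of
# Claims 46 to 49 (discard, limit connection resources, drop a deny filter,
# report); what each name does on a real device is outside this example.
RULES = [
    Rule("syn-flood",
         [lambda c: c.protocol_state == "SYN_RECEIVED",
          lambda c: c.half_open_connections > 200],
         "LIKELY", ["limit-connection-resources", "report-alert"]),
    Rule("shell-metacharacters-in-request",
         [lambda c: c.protocol_state == "ESTABLISHED",
          lambda c: b";" in c.payload or b"|" in c.payload],
         "POSSIBLE", ["log-event"]),
    Rule("nop-sled-signature",
         [lambda c: b"\x90" * 16 in c.payload],
         "CERTAIN", ["discard", "deny-filter", "report-alert"]),
]

# Constructed sample inbound communications.
SYN_FLOOD_CTX = Context(b"", "SYN_RECEIVED", 350)
METACHAR_CTX = Context(b"GET /cgi-bin/run?cmd=ls;id HTTP/1.0\r\n", "ESTABLISHED", 3)
NOP_SLED_CTX = Context(b"A" * 32 + b"\x90" * 32 + b"\xcc", "ESTABLISHED", 3)
BENIGN_CTX = Context(b"GET /index.html HTTP/1.0\r\n", "ESTABLISHED", 3)


def evaluate(ctx: Context, sensitivity: str) -> Tuple[bool, List[str]]:
    """Run the constructed rule set against one communication."""
    return detect(RULES, ctx, sensitivity)


if __name__ == "__main__":
    samples = [("syn flood", SYN_FLOOD_CTX), ("metachars", METACHAR_CTX),
               ("nop sled", NOP_SLED_CTX), ("benign", BENIGN_CTX)]
    for label, ctx in samples:
        for level in SENSITIVITY:
            intrusion, actions = evaluate(ctx, level)
            print(f"{label:10s} sensitivity={level:6s} intrusion={intrusion!s:5s} actions={actions}")
```

The point the block makes is the one the claims turn on: the rule set never changes, yet the verdict does. The same half-open connection count that a LOW-sensitivity host ignores becomes an intrusion event with rate limiting and an alert on a MEDIUM host, a single shell metacharacter in a request only fires on a HIGH host, and a CERTAIN-level signature match is discarded and shunned at every sensitivity.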